
02/21-00:18:35 192.0.205.118:21 -> 216.229.234.199:3547
TCP TTL:126 TOS:0x0 ID:35117
SFRPAU1 Seq: 0x10000 Ack: 0x147 Win: 0x5014
00 01 00 00 00 00 01 47 16 BF 50 14 00 00 76 61   .......G..P...va
20 20 20 20 20 00                                      .

Key to Understanding: all the code bits are set; this can't be, and so these packets are flagged as out of spec.

IDIC - SANS GIAC LevelTwo

©2000, 2001

12

Note that all the flags in this older Snort detect are set. In October 2000, Marty updated Snort and put the flags in the correct order. Note that the reserved bits are also set. A good analyst does not call this ECN congestion notification at this point; that would be out of context with the other six flags.

Per the discussion of exactly what a Christmas tree packet is, we see no evidence that any major OS crashes when exposed to this, so it is not a denial of service attack. Could it be TCP stack analysis, or TCP fingerprinting? Sure, but notice the source port; this could actually be a response of some sort, albeit a weird one.

Today, we refer to these most correctly as Out of Spec or Out Of Specification (OOS) packets. You may also hear them referred to as "Demon net". In late 1997 and throughout 1998, Demon Internet, a service provider in the UK and Europe, was known as the source of a large number of anomalous patterns. In the next slides we will look at one of the famous signatures of the Demon Internet pattern to help you practice your technical analysis skills. However, the more important lesson is to never let your technical analysis get in the way of the fundamentals. The most important signature of the Demon Internet patterns was that one of your hosts was always the stimulus: one of your hosts would visit a web server, and a while later a crazy-looking packet would come back at you. This means that if your site didn't record outgoing packet traffic, you wouldn't be able to ascertain this.
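As an added example (not part of the course material), the following Python decodes a TCP flags byte in the S F R P A U 1 2 order of the old Snort output and reports why a combination is out of spec; the sample header is constructed from the ports, sequence, acknowledgement, window and flags printed in the detect above, with checksum and urgent pointer assumed zero.

```python
import struct

# Flag letters in the S F R P A U 1 2 order of the old Snort output shown above;
# "1" and "2" are the two high bits of the flags byte, reserved in RFC 793
# (assigned to ECN by RFC 3168 in 2001, which is why the slide warns against
# reading them as ECN in a packet that also has the other six flags set).
FLAG_BITS = [("S", 0x02), ("F", 0x01), ("R", 0x04), ("P", 0x08),
             ("A", 0x10), ("U", 0x20), ("1", 0x40), ("2", 0x80)]


def flag_string(flags):
    """Render a TCP flags byte in the S F R P A U 1 2 order."""
    return "".join(letter for letter, bit in FLAG_BITS if flags & bit)


def out_of_spec_reasons(flags):
    """List why this flags byte cannot occur in legitimate TCP; [] if it looks sane."""
    reasons = []
    syn, fin, rst = flags & 0x02, flags & 0x01, flags & 0x04
    if flags & 0xC0:
        reasons.append("reserved bits set")
    if syn and fin:
        reasons.append("SYN and FIN together")
    if syn and rst:
        reasons.append("SYN and RST together")
    if flags & 0x3F == 0:
        reasons.append("no flags set")
    return reasons


def classify_tcp_header(header):
    """Decode the fixed 20-byte TCP header and attach the OOS verdict."""
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", header[:16])
    flags = off_flags & 0xFF  # low byte of the offset/flags word
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
            "flags": flag_string(flags), "reasons": out_of_spec_reasons(flags)}


# Constructed sample header using the values printed in the detect above
# (data offset 5; checksum and urgent pointer set to zero as an assumption).
SAMPLE_HEADER = struct.pack("!HHIIHHHH", 21, 3547, 0x10000, 0x147,
                            (5 << 12) | 0x7F, 0x5014, 0, 0)

if __name__ == "__main__":
    verdict = classify_tcp_header(SAMPLE_HEADER)
    print(verdict["flags"], verdict["reasons"])
```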

Totally Hosed 3

Service Provider comment in notes